Frontrunning of some initializers to grief deployment possible #201

Closed
Tracked by #88
code423n4 opened this issue Oct 24, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right responded The Holograph team has reviewed and responded sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4 (Contributor)

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/24bc4d8dfeb6e4328d2c6291d20553b1d3eff00b/src/HolographBridge.sol#L63
https://github.com/code-423n4/2022-10-holograph/blob/24bc4d8dfeb6e4328d2c6291d20553b1d3eff00b/src/HolographFactory.sol#L44
https://github.com/code-423n4/2022-10-holograph/blob/24bc4d8dfeb6e4328d2c6291d20553b1d3eff00b/src/HolographOperator.sol#L141

Vulnerability details

Impact

The initializer function (init) is callable by anyone, not only the deployer of the contracts. For some contracts that are deployed by a factory (e.g., Holographer), this is not problematic because the factory will immediately initialize after deployment (in the same transaction), meaning no frontrunning is possible. However, some contracts (like the factory itself) are not deployed with a smart contract. For these, someone can frontrun the init call. In the worst case, when this is not detected, a deployment with wrong parameters (e.g., a different admin) is used. But even if it is detected, an attacker could continuously front-run the call to make all deployments unusable.

Proof Of Concept

The HolographFactory contract is deployed and an attacker frontruns the init call. Because this deployment becomes useless, it is deployed again and the call is frontrun again, and again, and again...

Recommended Mitigation Steps

Store the deployer (temporarily) and only let this address initiate the contracts.
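The two patterns discussed in this report, side by side, as an added illustration that is not Holograph code and not part of the original issue. `UnguardedInit` shows an `init` that any caller can run first, and `DeployerGuardedInit` shows the mitigation the report proposes: record `msg.sender` in the constructor and accept `init` only from that address. All contract, variable and function names here are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Constructed example, not the Holograph codebase. Contract and member names
// (UnguardedInit, DeployerGuardedInit, _deployer, _initialized) are assumed.

/// Pattern the report describes: init() has no caller restriction, so the
/// first transaction mined after deployment decides the admin, whoever sent it.
contract UnguardedInit {
    address public admin;
    bool private _initialized;

    function init(address admin_) external {
        require(!_initialized, "already initialized");
        _initialized = true;
        admin = admin_; // first caller wins, regardless of who deployed
    }
}

/// Mitigation from the report: remember the deployer while the contract is
/// uninitialized and let only that address run init(). The slot is cleared
/// once init() succeeds, so the deployer address is stored only temporarily.
contract DeployerGuardedInit {
    address public admin;
    address private _deployer;
    bool private _initialized;

    constructor() {
        // Either an EOA (plain deployment) or the deploying contract
        // (factory / CREATE2 deployer) that must then call init() itself.
        _deployer = msg.sender;
    }

    function init(address admin_) external {
        require(!_initialized, "already initialized");
        require(msg.sender == _deployer, "only deployer may initialize");
        _initialized = true;
        delete _deployer; // no longer needed after initialization
        admin = admin_;
    }
}
```

One caveat when adopting this guard: when the contract is deployed through another contract (a factory, a CREATE2 deployer, or the Genesis contract the sponsor mentions), `msg.sender` in the constructor is that deploying contract, not the operator's EOA. The guard is therefore only correct if the deploying contract calls `init` in the same transaction; a generic deployer that does not would leave the contract impossible to initialize by the intended owner.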

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 24, 2022
code423n4 added a commit that referenced this issue Oct 24, 2022
@gzeoneth gzeoneth added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Oct 28, 2022
@alexanderattar

The Genesis contract deploys so this cannot be frontrun.

@alexanderattar alexanderattar added sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue responded The Holograph team has reviewed and responded labels Nov 8, 2022
@gzeoneth gzeoneth added the invalid This doesn't seem right label Nov 19, 2022